Security at Postman

Data security

All customer data at Postman is stored securely and with high redundancy. This helps reduce the risk of data loss and ensures continuous availability. We use a relational database service configured to ensure data is stored with at least dual redundancy and maintain 15-day backups. Data is accessible only within our private cloud, and we implement per-service access protection and data isolation to enhance security.

We use cryptographic methods and industry standards to protect customer data in transit between Postman clients, the cloud, and at rest. For example, all communications and data in transit over the internet require the latest version of Transport Layer Security, a cryptographic protocol that provides end-to-end encryption. By default, encryption is also enabled on all our services that contain data at rest.

Also, your sensitive data at rest is encrypted on the server side before storage using AES-256-GCM. The Advanced Encryption Standard with Galois Counter Mode (AES-GCM) provides authenticated encryption, which ensures data confidentiality and integrity.

Other encryption methods include securing customer and company data at the application layer using AES-256-GCM. We encrypt sensitive data, including environment variables, access and refresh tokens, and Amazon Web Services (AWS) secret keys. Postman also encrypts your data using a key management service from AWS. In addition, we have key management capabilities to encrypt sensitive data at the application layer.

We further maintain all internal testing and validation data in a production-stack equivalent internal stack populated with fictitious data, meaning Postman does not distribute customer data for internal testing or validation purposes.

To download assurance reports, access the Postman Security and Trust Portal.

Key security features

Postman Vault

Postman Vault lets you store sensitive data as vault secrets in your local instance of Postman. Only you can access and use your vault secrets, and they aren't synced to the Postman cloud.

Postman API key management

You can manage the Postman API keys that your team creates at scale, ensuring you maintain compliance and security across your organization. Teams can control the creation of API keys, their expiration dates, and revoke keys when needed.

API Governance and API Security

Customers, security teams, and developers can use configurable security rules and capabilities to improve API governance and security, such as identifying weaknesses and areas for improvement.

Audit logs

Audit logs display events related to your team, users, and billing. You can track key activities related to security access and team management for the past 180 days. Visit the Postman Learning Center to learn more.

Secret Scanner

The Postman Secret Scanner examines your public workspaces, collections, environments, and documentation to find accidentally exposed secrets. Learn how to use the Secret Scanner, which is turned on by default.

Role-based access control

Postman helps you to assign granular access to users in our product with roles and permissions. Such roles define user permissions within a Postman team and a user's level of access to a Postman element, such as a collection or an API, helping you secure your data.

Two-factor authentication (2FA)

You can enable 2FA for your Postman account to add an extra layer of security when you log in using a password.

Infrastructure security

For our hardware, we contract with cloud providers that adhere to global privacy and security regulations and standards. We also have a rigorous process to minimize cybersecurity risk while onboarding and offboarding vendors.

Our infrastructure runs on data centers provided by Amazon Web Services (AWS). We leverage several security and privacy-focused features. Also, our infrastructure runs on stable, regularly patched versions of Amazon Linux. It has configured security groups and isolated virtual private cloud environments with well-defined network segmentation, role-based access control, and advanced web-application firewall protection.

Physical and environmental security

Postman has no in-house data centers and uses AWS to manage its data centers' physical and environmental security. Our company's product data and backups are hosted on AWS servers in the EU and U.S., which offer strong security and privacy-focused features.

Additionally, our internal security program covers physical security at our offices around the world.

Software security

Our applications run on the latest stable version of Node.js, an open-source programming language.

Postman has controls at every layer and phase of development to secure its applications during the software development lifecycle, deployment, and operation phases. We use security frameworks and industry standards throughout our software development lifecycle. We further uncover any OWASP vulnerabilities during software security testing before releasing new products or features.

In addition, our company's automated and manual code review processes search for any code that could potentially violate corporate security policies. Importantly, we also train our software developers to follow best security practices around coding and collaboration.

Other practices involve setting architectural security guidelines. We also minimize risks to our applications by isolating them through containerization, which keeps software in secure containers. Furthermore, third-party firms validate the security of Postman's product ecosystem annually.

We also oversee the software installed on Postman systems and can quickly mitigate any issues. Any installed software is reported to a central repository for analysis. Also, we have patching mechanisms built into the operating systems to update devices automatically.

Payment processing

We process all payments using Stripe, which has been certified as a Payment Card Industry Data Security Standard (PCI DSS) Level 1 Service provider.

Vulnerability management

We monitor the security of our products and applications through various ongoing activities, including regularly scheduled Vulnerability Assessment and Penetration Testing (VAPT) for all product releases.

We also conduct vulnerability scans on the network, application, and operating system layers at regular intervals throughout the year. Additionally, we promptly patch vulnerabilities in accordance with standard service level agreements and policies.

All issues found are assigned a score using the Common Vulnerability Scoring System (CVSS), an owner, and a deadline based on an internal Service Level Agreement (SLA) for fixing vulnerabilities. We also may remove and turn off services.

Additionally, we use an automated tool for source code analysis, which runs before every production release. This tool covers vulnerabilities in open-source software and libraries. You can view applicable third-party licenses and a list of open-source software.

Penetration testing

In addition to our regular security reviews, we partner with trusted third-party companies to perform annual penetration tests across our product ecosystem.

Bug bounty program

We invite anyone to identify and report potential security vulnerabilities in the API Platform. Postman runs a private bug bounty program with HackerOne.

Please review our security reporting guidelines and policy.

Attack prevention and mitigation

We log activity across our platform, from individual API requests to infrastructure configuration changes. Logs are aggregated for monitoring, analysis, and anomaly detection and archived in vaulted storage.

Our company further implements measures to detect and prevent log tampering or interruptions. To determine security breaches, we monitor access patterns and network data flow patterns using automated systems that alert us in case of an anomaly. In addition, we run automated scans on each feature release to ensure we reduce any security issues from third-party libraries.

Also, our leadership team is notified automatically in the event of a customer-reported breach. In accordance with Postman's corporate policies, we respond to the report within a few hours.

Incident response

Our company has incident response policies and procedures to help mitigate cyber risks around service availability, integrity, security, privacy, and confidentiality. As a result, we train our Postman teams to:

• Promptly respond to alerts of potential incidents
• Analyze and assess the severity of potential incidents
• Execute mitigation and containment measures
• Communicate with relevant internal and external stakeholders. Doing so includes notifying affected customers and meeting contractual obligations around breach or incident notifications.
• Gather and preserve forensic evidence for investigative efforts
• Conduct and document a postmortem while developing a permanent triage plan

The incident response policies and processes are audited as part of our System and Organization Controls (SOC 2) and other security assessments.

Explore our status page for service availability information.

Shared responsibility model

Through our shared responsibility model, we rely on our users to help safeguard their data and credentials in Postman. We strongly encourage customers, security teams, and developers to use Postman securely.

For more information, read best practices to help you keep your sensitive data secure and private in Postman.